Bug #2205

open

Feature #4855: rules: refactor rule parsing into multi-stage parser

Buffer confusion with fast_pattern:only;

Added by Francis Trudeau over 7 years ago. Updated about 1 year ago.

Status: Assigned
Priority: Normal

Description

It appears that the logic for content relative to fast_pattern:only is broken. Using the following against the attached pcap:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)

I get this error for 30301 (which is on line 23 in my rules file):

This is Suricata version 4.0.0-dev (rev f27b4fc)
[4349] 29/8/2017 -- 12:25:11 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev f27b4fc)
[4349] 29/8/2017 -- 12:25:12 - (detect-distance.c:131) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[4349] 29/8/2017 -- 12:25:12 - (detect.c:371) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"ethereal"; fast_pattern:only; content:"down"; http_uri; content:" from file /etc/suricata/rules/et-luajit-scripts/../suricata.rules at line 23

This also happens in 4.0.0, 3.2.1, 3.0.2, 2.0.11 and 1.4.7.

These both work as expected and hit on the attached pcap:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)

In the packet, 'content:"05c04axp1yaqynldtcdiwis0ag1";' is after the URI, so in that case the http_uri contents are being put in the http_uri buffer; otherwise 'content:"ethereal"; http_uri; distance:0;' would fail.

Header:

GET /test/ethereal.html HTTP/1.1
Host: cerberus
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; rv:1.7.3) Gecko/20041004 Firefox/0.10.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: FGNCLIID=05c04axp1yaqynldtcdiwis0ag1
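The ordering behaviour this report describes, modelled as an added example that is not Suricata's own parser: a toy option parser in which a relative keyword is checked either as soon as it is seen (before a following http_uri has moved the content to its buffer) or only after all modifiers are resolved. The names parse_options, anchor_error, validate, Content and RULE_BAD are hypothetical, and the single-pass model is an assumption about why 30301 is rejected and 30302 is not.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed model for this report, not Suricata's parser. It shows how the order in which option
# modifiers are applied decides which content a relative keyword (distance/within) anchors to.
OPT_RE = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

RULE_30301 = 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)'
RULE_30302 = 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)'
RULE_BAD = 'alert http any any -> any any (msg:"constructed"; content:"a"; fast_pattern:only; content:"b"; distance:0; sid:1;)'  # constructed: truly anchors to the fast_pattern:only content

@dataclass(eq=False)
class Content:
    pattern: str
    buffer: str = "payload"          # buffer the content is matched in (payload, http_uri, ...)
    fast_pattern_only: bool = False

def parse_options(rule: str) -> List[tuple]:
    """Split the option section between the outer parentheses into (keyword, value) pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [(k, v.strip().strip('"') if v else None) for k, v in OPT_RE.findall(body)]

def anchor_error(contents: List[Content], cur: Content) -> Optional[str]:
    """A relative keyword on `cur` anchors to the nearest earlier content in the same buffer."""
    for prev in reversed(contents[: contents.index(cur)]):
        if prev.buffer == cur.buffer:
            return f"{cur.pattern!r} is relative to fast_pattern:only content {prev.pattern!r}" if prev.fast_pattern_only else None
    return None

def validate(rule: str, multi_stage: bool) -> Optional[str]:
    """Return the first error, or None if the rule is accepted. multi_stage=False checks a relative
    keyword the moment it is seen; multi_stage=True applies every modifier first, then checks."""
    contents: List[Content] = []
    relative: List[Content] = []
    for key, val in parse_options(rule):
        if key == "content":
            contents.append(Content(val))
        elif key == "http_uri":
            contents[-1].buffer = "http_uri"
        elif key == "fast_pattern":
            contents[-1].fast_pattern_only = val == "only"
        elif key in ("distance", "within"):
            relative.append(contents[-1])
            if not multi_stage and (err := anchor_error(contents, contents[-1])):
                return err
    for cur in (relative if multi_stage else []):
        if err := anchor_error(contents, cur):
            return err
    return None
```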

Files

http_gzip.cap (1.67 KB), Francis Trudeau, 08/29/2017 01:43 PM

Related issues (2 open, 0 closed)

Related to Suricata - Bug #1826: Rule validation bug with fast_pattern:only and specified buffers (New, OISF Dev)
Related to Suricata - Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility) (New, OISF Dev)